Merge pull request #2664 from splunk/SRS_AD_PrivEsc

Adding AD Privilege Escalation SRS Detections

dev_ssa/endpoint/ssa___windows_default_group_policy_object_modified_with_gpme.yml

@@ -0,0 +1,72 @@
+name: Windows Default Group Policy Object Modified with GPME
+id: bcb55c13-067b-4648-98f3-627010f72520
+version: 1
+date: '2023-05-02'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the potential edition of a default Group Policy Object. A fresh installation of an Active Directory network will typically contain
+  two default group policy objects `Default Domain Controllers Policy` and `Default Domain Policy`. The default domain controllers policy is used to enforce and set policies to all the domain controllers within the domain environment.
+  The default domain policy is linked to all users and computers by default. An adversary who has obtained privileged access to an Active Directory network may modify the default group 
+  policy objects to obtain further access, deploy persistence or execute malware across a large number of hosts. Security teams should monitor the edition of the default GPOs.
+data_source:
+- Windows Security 4688
+search:
+  selection1:
+    process.file.name:
+    - mmc.exe
+    process.cmd_line|contains: gpme.msc
+  selection2:
+    process.cmd_line|contains: 31B2F340-016D-11D2-945F-00C04FB984F9
+  selection3:
+    process.cmd_line|contains: 6AC1786C-016F-11D2-945F-00C04fB984F9
+  condition: selection1 or selection2 or selection3
+how_to_implement:  To successfully implement this search, you need to be ingesting
+  logs with the process name, parent process, and command-line executions from your
+  endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
+  Sysmon TA.
+known_false_positives: The default Group Policy Objects within an AD network may be legitimately updated for administrative operations, filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1484/
+- https://attack.mitre.org/techniques/T1484/001
+- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
+- https://adsecurity.org/?p=2716
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  asset_type: Endpoint
+  confidence: 50
+  impact: 100
+  message: A default group policy object was opened with Group Policy Manage Editor on $dest$
+  mitre_attack_id:
+  - T1484
+  - T1484.001
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: parent_process_name
+    type: Process
+    role:
+    - Parent Process
+  - name: process_name
+    type: Process
+    role:
+    - Child Process
+  product:
+  - Splunk Behavioral Analytics
+  required_fields:
+  - process_name
+  - _time
+  - dest_device_id
+  - dest_user_id
+  - process
+  risk_score: 50
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log
+    source: XmlWinEventLog

dev_ssa/endpoint/ssa___windows_file_share_discovery_with_powerview.yml

@@ -0,0 +1,64 @@
+name: Windows File Share Discovery With Powerview
+id: ec4f671e-c736-4f78-a4c0-8fe809e952e5
+version: 1
+date: '2023-05-02'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all
+  active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information
+  like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them 
+  for Privilege Escalation or Lateral Movement.
+data_source:
+- Powershell 4104
+search:
+  selection1:
+    process.cmd_line|re: 'invoke-sharefinder'
+  condition: selection1
+how_to_implement: To successfully implement this analytic, you will need to enable
+  PowerShell Script Block Logging on some or all endpoints. Additional setup here
+  https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
+known_false_positives: Unknown
+references:
+- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
+- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
+- https://attack.mitre.org/techniques/T1135/
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  asset_type: Endpoint
+  confidence: 80
+  impact: 60
+  message: Invoke-ShareFinder commandlet was executed on $Computer$
+  mitre_attack_id:
+  - T1552
+  - T1552.006
+  observable:
+  - name: Computer
+    type: Hostname
+    role:
+    - Victim
+  - name: UserID
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Behavioral Analytics
+  required_fields:
+  - _time
+  - EventCode
+  - ScriptBlockText
+  - Opcode
+  - Computer
+  - UserID
+  kill_chain_phases:
+  - Exploitation
+  risk_score: 48
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log
+    source: XmlWinEventLog
+    sourcetype: XmlWinEventLog
+    update_timestamp: true

dev_ssa/endpoint/ssa___windows_findstr_gpp_discovery.yml

@@ -0,0 +1,65 @@
+name: Windows Findstr GPP Discovery
+id: 73ed0f19-080e-4917-b7c6-56e1760a50d4
+version: 1
+date: '2023-05-02'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the use of the findstr command employed to search for unsecured credentials Group Policy Preferences (GPP).
+  GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.
+  These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).
+  While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.
+data_source:
+- Windows Security 4688
+search:
+  selection1:
+    process.file.name:
+    - findstr.exe
+    process.cmd_line|contains: sysvol
+    process.cmd_line|contains: cpassword
+  condition: selection1 
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the process name, parent process, and command-line executions from your
+  endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
+  Sysmon TA.
+known_false_positives: Administrators may leverage findstr to find passwords in GPO to validate exposure. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1552/006/
+- https://pentestlab.blog/2017/03/20/group-policy-preferences/
+- https://adsecurity.org/?p=2288 
+- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
+- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  asset_type: Endpoint
+  confidence: 80
+  impact: 70
+  message: Findstr was executed to discover GPP credentials on $dest$
+  mitre_attack_id:
+  - T1552
+  - T1552.006
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Behavioral Analytics
+  required_fields:
+  - process_name
+  - _time
+  - dest_device_id
+  - dest_user_id
+  - process
+  risk_score: 56
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log
+    source: XmlWinEventLog

dev_ssa/endpoint/ssa___windows_powersploit_gpp_discovery.yml

@@ -0,0 +1,67 @@
+name: Windows PowerSploit GPP Discovery
+id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2
+version: 1
+date: '2023-05-02'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP).
+  GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.
+  These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).
+  While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.
+data_source:
+- Powershell 4104
+search:
+  selection1:
+    process.cmd_line|re: 'get-gpppassword'
+  condition: selection1
+how_to_implement: To successfully implement this analytic, you will need to enable
+  PowerShell Script Block Logging on some or all endpoints. Additional setup here
+  https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
+known_false_positives: Unknown
+references:
+- https://attack.mitre.org/techniques/T1552/006/
+- https://pentestlab.blog/2017/03/20/group-policy-preferences/
+- https://adsecurity.org/?p=2288 
+- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
+- https://adsecurity.org/?p=2288
+- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  asset_type: Endpoint
+  confidence: 80
+  impact: 70
+  message: Commandlets leveraged to discover GPP credentials were executed on $Computer$
+  mitre_attack_id:
+  - T1552
+  - T1552.006
+  observable:
+  - name: Computer
+    type: Hostname
+    role:
+    - Victim
+  - name: UserID
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Behavioral Analytics
+  required_fields:
+  - _time
+  - EventCode
+  - ScriptBlockText
+  - Opcode
+  - Computer
+  - UserID
+  kill_chain_phases:
+  - Exploitation
+  risk_score: 56
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log
+    source: XmlWinEventLog
+    sourcetype: XmlWinEventLog
+    update_timestamp: true

dev_ssa/endpoint/ssa___windows_powerview_ad_access_control_list_enumeration.yml

@@ -0,0 +1,64 @@
+name: Windows PowerView AD Access Control List Enumeration
+id: 2b301d6c-0527-4dbd-8d2d-5345bc4be0cf
+version: 1
+date: '2023-05-02'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+description: The following analytic leverages Event ID 4104 to identify the execution of the PowerView powershell commandlets `Get-ObjectAcl` or `Get-DomainObjectAcl`. This commandlets
+  are used to enumerate Access Control List permissions given to Active Directory objects. In an active directory environment, an object is an entity that represents an available resource within 
+  the organizations network, such as domain controllers, users, groups, computers, shares, etc.  Maintaining Active Directory permissions is complicated and hard to manage, especially in complex 
+  and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged
+  by attackers to identify and exploit configuration weaknesses.
+data_source:
+- Powershell 4104
+search:
+  selection1:
+    process.cmd_line|re: 'get-objectacl'
+  selection2:
+    process.cmd_line|re: 'get-domainobjectacl'
+  condition: selection1 or selection2
+how_to_implement: To successfully implement this analytic, you will need to enable
+  PowerShell Script Block Logging on some or all endpoints. Additional setup here
+  https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
+known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1078/002/
+- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89
+- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
+- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  asset_type: Endpoint
+  confidence: 50
+  impact: 40
+  message: PowerView AD acccess control list enumeration detected on $Computer$
+  mitre_attack_id:
+  - T1078.002
+  - T1069
+  observable:
+  - name: Computer
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Behavioral Analytics
+  required_fields:
+  - _time
+  - EventCode
+  - ScriptBlockText
+  - Opcode
+  - Computer
+  - UserID
+  kill_chain_phases:
+  - Exploitation
+  risk_score: 20
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log
+    source: XmlWinEventLog
+    sourcetype: XmlWinEventLog
+    update_timestamp: true